Facebook -owned WhatsApp is also making a pretty big change as a result of GDPR — noting in its FAQs that it’s raising the minimum age for users of the messaging platform to 16 across the “European Region“. This includes in both EU and non-EU countries (such as Switzerland), as well as the in-the-process-of-brexiting UK (which is set to leave the EU next year).

Where teens are concerned GDPR introduces a new provision concerning children’s personal data — setting a 16-year-old age limit on kids being able to consent to their data being processed — although it does allow some wiggle room for individual countries to write a lower age limit into their laws, setting a hard cap at 13-years-old.

WhatsApp isn’t bothering to try to vary the age gate depending on limits individual EU countries have set, though. Presumably to reduce the complexity of complying with the new rules.

But also likely because it’s confident WhatsApp-loving teens won’t have any trouble circumventing the new minimum age limit. And therefore that there’s no real risk to its business because teenagers will easily ignore the rules.

Certainly it’s unclear whether WhatsApp and its parent Facebook will do anything at all to enforce the age limit — beyond asking users to state they are at least 16 (and taking them at their word). So in practice, while on paper the 16-years-old minimum seems like a big deal, the change may do very little to protect teens from being data-mined by the ad giant.

We’ve asked WhatsApp whether it will cross-check users’ accounts with Facebook accounts and data holdings to try to verify a teen really is 16, for example, but nothing in its FAQ on the topic suggests it plans to carry out any active enforcement at all — instead it merely notes:

Creating an account with false information is a violation of our Terms

Registering an account on behalf of someone who is underage is also a violation of our Terms

Ergo, that does sound very much like a buck being passed. And it will likely be up to parents to try to actively enforce the limit — by reporting their own underage WhatApp-using kids to the company (which would then have to close the account). Clearly few parents would relish the prospect of doing that.

Yet Facebook does already share plenty of data between WhatsApp and its other companies for all sorts of self-serving, business-enhancing purposes — and even including, as it couches it, “to ensure safety and security”. So it’s hardly short of data to carry out some age checks of its own and proactively enforce the limit.

One curious difference is that Facebook’s approach to teen usage of WhatsApp is notably distinct to the one it’s taking with teens on its main social platform — also as it reworks the Facebook T&Cs ahead of GDPR.

Under the new terms there Facebook users between the ages of 13 and 15 will need to get parental permission to be targeted with ads or share sensitive info on Facebook.

But again, as my TC colleague Josh Constine pointed out, the parental consent system Facebook has concocted is laughably easy for teens to circumvent — merely requiring they select one of their Facebook friends or just enter an email address (which could literally be an alternative email address they themselves control). That entirely unverified entity is then asked to give ‘consent’ for their ‘child’ to share sensitive info. So, basically, a total joke.

As we’ve said before, Facebook’s approach to GDPR ‘compliance’ is at best described as ‘doing the minimum possible’. And data protection experts say legal challenges are inevitable.

Also in Europe Facebook has previously been forced via regulatory intervention to give up one portion of the data sharing between its platforms — specifically for ad targeting purposes. However its WhatsApp T&Cs also suggest it is confident it will find a way to circumvent that in future, as it writes it “will only do so when we reach an understanding with the Irish Data Protection Commissioner on a future mechanism to enable such use” — i.e. when, not if.

Last month it also signed an undertaking with the DPC on this related to GDPR compliance, so again appears to have some kind of regulatory-workaround ‘mechanism’ in the works.